Accessing content over the World Wide Web (“web”) presents a host of dangers to web users. From computer viruses to Trojan horses, malicious entities are constantly exposing web users to a variety of threats to users' online security. At one end of the security spectrum, these threats can result in temporary service interruptions and require relatively minor computer maintenance. At the other end, such threats can result in the theft of valuable user identification information that can enable a malicious entity to pose as a particular user and impermissibly obtain access to user assets or other valuable information.
One class of online security threat involves exporting executable computer code to a web user's device. Once a web user's device has downloaded an executable, the executable can run on the user's device and potentially inflict damage to the user's device or access user identification information. One scenario in which this may occur is when a user navigates via a web browser to a web site that includes executable code. Due to the dangers presented by sending executable code to web users, many websites forbid the use of executable code within web content provided by certain entities (e.g., web users who upload web content). Executable code encountered on the web is often in the form of a scripting language, such as JavaScript, Python, VBScript, and so on. While many websites employ some type of filter to detect malicious script in web content provided by certain entities, malicious entities have located and exploited loopholes that enable the entities to send malicious executable code to user devices despite such precautionary measures.
One such loophole is known as cross-site scripting (“XSS”). In XSS, a malicious user can input malicious content, such as a malicious program in a scripting language, into a web page. When an unwary user accesses the web page via a web browser, the malicious content is sent to the user's device along with the other web page content. The malicious program can then run on the user's device and cause damage to the user's device and/or pilfer user information. As mentioned above, many websites forbid users from providing content that contains executable code. However, executable code (e.g., script) can often be hidden in other types of content, such as in markup language content. A filtering process employed by a website might not detect the executable code, and so the executable code can be sent to web users' devices via the website. Thus, despite such security measures, malicious users are still able to infect web users' devices with malicious executable code.
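
The filter gap described above can be seen by auditing what a script-tag blocklist leaves behind and comparing it with output encoding. This is an added example, not part of the original text; the function names and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example. Inputs are constructed; all function names are hypothetical.

// Blocklist filter of the kind described above: removes <script> elements only.
function naiveScriptFilter(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Heuristic audit (not a sanitizer): report markup that can still run script.
function findExecutableMarkup(html) {
  const findings = [];
  if (/<script\b/i.test(html)) findings.push("script-element");
  if (/<[^>]+\son[a-z]+\s*=/i.test(html)) findings.push("event-handler-attribute");
  if (/<[^>]+\s(?:href|src|action)\s*=\s*["']?\s*javascript:/i.test(html)) {
    findings.push("javascript-url");
  }
  return findings;
}

// Mitigation: encode on output so the browser renders the input as text.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed user-submitted content; alert(1) stands in for any script.
const SAMPLES = [
  "<script>alert(1)</script>",
  '<img src="x" onerror="alert(1)">',
  '<a href="javascript:alert(1)">profile</a>',
  "<b>hello</b>",
];

// For each input, list what survives the blocklist and what survives encoding.
function audit(samples) {
  return samples.map((input) => ({
    input,
    missedByFilter: findExecutableMarkup(naiveScriptFilter(input)),
    afterEncoding: findExecutableMarkup(escapeHtml(input)),
  }));
}

for (const r of audit(SAMPLES)) {
  console.log(JSON.stringify(r));
}
```

The blocklist removes the first sample but passes the second and third unchanged, while encoding on output neutralizes all of them because the browser no longer parses the input as markup.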